Android’s Anomaly?

18

May

2011

There are reports coming out today about Google Android and how approximately 99.7% of its users are potentially open to compromise. This news cycle started by the Ulm University publishing some information on the 13th of May showing some results. I'm sure this story will develop and CTAC may follow-up to my blog with more details; however, let us focus on what journalists are reporting as fact:

Upgrade to Android 2.3.4 or 3.0.

Versions 2.3.3 and prior are vulnerable.

Your Android and an attacker must both be physically logged into the same public unencrypted WiFi connection.

The issue at hand is the vulnerable OS versions connect into Calendar Sync, Contacts Sync and Picasa Sync in the clear plaintext. The new version of Android connects to these services over WiFi via encryption, or HTTPS. The exclusion is Picasa Sync which may still use plaintext connection. A chart provided by Ulm University is shown for convenience below:

Android version

Calendar Sync

Contacts Sync

Picasa Sync (Gallery)

3.0

yes

yes

?

2.3.4

yes

yes

no

2.3.3

no

no

no

2.2.1

no

no

n/a

2.2

no

no

n/a

2.1

no

no

n/a

What exactly is the issue, now that we know how to potentially protect ourselves? Google uses a protocol called ClientLogin for authentication into applications. Unfortunately the implementation of ClientLogin that sends back a token called authToken may be in the clear plaintext. And it is during a public open WiFi that this authToken may be swiped by an attacker, and then used to impersonate you.

What is the feasibility of this occuring? Lots of cybercrime occurs remotely. Sure there is WiFi "wardialing"; however, the chances I think of a regular user coming under attack are probably not that high. Being paranoid, I still recommend upgrading your Android OS and stay away from Public WiFi networks. Be mindful of where you are and what your systems connect into.